Channel: Questions in topic: "splunk-enterprise"
Viewing all 47296 articles

What are the options for synchronizing namespace tsidx files in a search head cluster?

One option is obviously to use shared storage. That's the least desirable option. If I schedule the search to run tscollect, it will run on a random search head in the cluster, right? So another option would be to save the search to all cluster members and then use a cron job on each one to run the search and generate the namespace's tsidx files...? Is there any other, cleaner way to do this?

How do you set up an alert for when an application process is running or hung?

There are a number of application processes in our environment which either go down or stop responding. I am trying to set up an alert in the event that a process is down or hung on Unix/Linux. Can anyone assist with this, please?
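One way to feed such an alert, added here as an example and not code from the post above: a Splunk scripted input on Linux that reads /proc/<pid>/stat for a watch list of process names and emits one key=value event per process saying whether it is up, down or hung. The watch list (sshd, nginx, splunkd), the mapping of kernel states to "hung" (D = uninterruptible sleep, T/t = stopped or traced; Z = zombie counts as not running) and the sample /proc lines in the test are all assumptions. A single D sample is normal during heavy I/O, so the Splunk alert should require several consecutive hung events before it fires.

```python
#!/usr/bin/env python3
"""Report watched processes as up, down or hung, for a Splunk scripted input.

Added example, not code from the original post. Linux only: it reads
/proc/<pid>/stat. The watch list and the state-to-status mapping are
assumptions to tune per environment.
"""
import os
import re
import time

# Assumed watch list; names must match the comm field in /proc/<pid>/stat.
WATCHED = ("sshd", "nginx", "splunkd")

# Prefix of /proc/<pid>/stat is "<pid> (<comm>) <state> ...". comm may itself
# contain spaces and parentheses, so match greedily up to the last ") X ".
STAT_RE = re.compile(r"^(\d+) \((.*)\) ([A-Za-z]) ")


def parse_stat(line):
    """Return (pid, comm, state) from one /proc/<pid>/stat line, or None."""
    m = STAT_RE.match(line)
    if m is None:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def classify(stats, watched=WATCHED):
    """Map each watched name to 'up', 'hung' or 'down'.

    'hung'  : any instance is in state D (uninterruptible sleep), T or t (stopped)
    'up'    : at least one instance in a normal state (R, S, I, ...)
    'down'  : no live instance; zombies (Z) and dead (X) do not count as live
    """
    live, hung = set(), set()
    for _pid, comm, state in stats:
        if comm not in watched:
            continue
        if state in ("D", "T", "t"):
            hung.add(comm)
        elif state not in ("Z", "X"):
            live.add(comm)
    result = {}
    for name in watched:
        if name in hung:
            result[name] = "hung"
        elif name in live:
            result[name] = "up"
        else:
            result[name] = "down"
    return result


def read_proc_stats():
    """Yield (pid, comm, state) for every process in /proc (Linux only)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join("/proc", entry, "stat")) as fh:
                parsed = parse_stat(fh.readline())
        except OSError:
            continue  # process exited between listdir() and open()
        if parsed is not None:
            yield parsed


def render(result, ts):
    """One key=value event per watched process; Splunk extracts these fields itself."""
    return ["%s process=%s status=%s" % (ts, name, status)
            for name, status in sorted(result.items())]


if __name__ == "__main__":
    now = time.strftime("%Y-%m-%dT%H:%M:%S%z")
    for event in render(classify(read_proc_stats()), now):
        print(event)
```

Run it from inputs.conf as a scripted input every minute; the alert search is then just the events with status=down or status=hung, with a threshold of a few consecutive results per process so that a momentary D state does not page anyone.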

Splunk Web Cert Self Signing - Invalid Argument

Hi All, I am pretty much a novice at Splunk certificate management. I have run into an error when trying to self-sign Splunk Web certs. Command string and output as follows:

    C:\>"c:\Program Files\Splunk\bin\splunk.exe" createssl web-cert -n -l 3072
    Generating a 3072 bit RSA private key
    ..............................++
    ........................................................++
    writing new private key to 'privKeySecure.pem'
    -----
    Signature ok
    subject=/CN=,server_name>/O=SplunkUser
    c:\Program Files\Splunk\C:\Program Files\Splunk\etc\auth\splunkweb\cert.pem: Invalid argument
    Command failed (ret=1), exiting.

The result of this is that I am getting a new privateKeySecure.pem but not a new cert.pem. The private key is being dropped into the $\etc\auth folder. I am running Splunk Ent. Version 7.1.0 on Windows. web.conf in $\etc\system\local looks like this:

    [settings]
    enableSplunkWebSSL = 1
    privKeyPath = C:\Program Files\Splunk\etc\auth\splunkweb\server.key
    caCertPath = C:\Program Files\Splunk\etc\auth\splunkweb\cert.pem

I am pretty sure the solution lies in the output, where the following is not a correct path but a doubling up: "c:\Program Files\Splunk\C:\Program Files\Splunk\etc\auth\splunkweb\cert.pem"

Any thoughts or ideas on how to fix this would be greatly appreciated. Cheers, Jim

How to hide progress bar above table?

I have an HTML dashboard with a stats table. The blue progress bar blinks until the search is complete, but then just remains in the top left corner. Is there a setting to remove/hide the progress bar entirely? Here is what it looks like after the search finishes: (screenshot: /storage/temp/255799-splunkquestion.jpg)

Storage Estimation : Daily data rate

Hello folks, I am trying to identify the daily data ingestion per index. Based on this I want to calculate the storage requirement, taking retention/RF/SF into account. I am using the query below to identify the daily data rate, but it seems it is not the correct way, as the results show far more data than the license capacity.

    index=_internal source=*metrics.log group=per_index_thruput
    | eval GB=kb/(1024*1024)
    | timechart span=1d sum(GB) by series
    | addtotals fieldname=TotalDailyVolume(GB)
    | sort - _time

When I checked the Monitoring Console - License usage for the last 30 days, split by indexer - the results are quite different and much less than from the query above. I was under the impression that the query above gives the daily data ingestion rate, but it looks like I am missing something here. Can you please advise and help me understand this? Thanks
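Two caveats a practitioner would want before trusting either number: metrics.log per_index_thruput only lists the top series for each sampling interval (ten by default, the maxseries setting under [metrics] in limits.conf), so small indexes drop in and out of the sum, and the licence-side figure comes from license_usage.log (type=Usage, field b in bytes per idx), which is what the Monitoring Console reads. The block below is an added example, not code from the post: it does offline what the search above does, summing kb per day and per index from constructed metrics.log lines, and then applies the sizing rule of thumb from Splunk's capacity planning guidance (compressed rawdata about 15% of ingest, index files about 35%) to RF and SF copies over the retention period. The ratios, the sample lines and the 100 GB/day example are assumptions.

```python
#!/usr/bin/env python3
"""Daily ingest per index from metrics.log, and a storage estimate from it.

Added example, not code from the original post. SAMPLE_METRICS is constructed
in the format Splunk writes for group=per_index_thruput. The 15%/35% sizing
ratios are a planning rule of thumb and an assumption; real ratios depend on
the data and on compression settings.
"""
import re
from collections import defaultdict

SAMPLE_METRICS = """\
08-19-2018 23:59:31.012 -0400 INFO Metrics - group=per_index_thruput, series="main", kbps=2.48, eps=5.44, kb=76.8, ev=169, avg_age=0.14, max_age=1
08-20-2018 06:12:37.038 -0400 INFO Metrics - group=per_index_thruput, series="main", kbps=11.9, eps=50.1, kb=369.0, ev=1503, avg_age=0.10, max_age=1
08-20-2018 06:13:08.041 -0400 INFO Metrics - group=per_index_thruput, series="main", kbps=4.2, eps=12.0, kb=131.0, ev=360, avg_age=0.12, max_age=1
08-20-2018 06:13:08.041 -0400 INFO Metrics - group=per_index_thruput, series="_internal", kbps=1.0, eps=3.0, kb=31.0, ev=90, avg_age=0.01, max_age=1
08-20-2018 06:13:08.041 -0400 INFO Metrics - group=per_sourcetype_thruput, series="syslog", kbps=4.2, eps=12.0, kb=131.0, ev=360, avg_age=0.12, max_age=1
"""

# Only per_index_thruput lines; the date and series become the grouping keys.
METRIC_RE = re.compile(
    r'^(?P<date>\d{2}-\d{2}-\d{4}) \S+ \S+ INFO Metrics - '
    r'group=per_index_thruput, series="(?P<series>[^"]+)", .*?\bkb=(?P<kb>[\d.]+)'
)

KB_PER_GB = 1024 * 1024
RAW_FRACTION = 0.15    # assumed compressed rawdata size as a fraction of ingest
INDEX_FRACTION = 0.35  # assumed tsidx/index file size as a fraction of ingest


def daily_kb_by_index(lines):
    """Sum the kb field per day and per index; other metric groups are ignored."""
    totals = defaultdict(lambda: defaultdict(float))
    for line in lines:
        m = METRIC_RE.match(line)
        if m is None:
            continue
        totals[m.group("date")][m.group("series")] += float(m.group("kb"))
    return {day: dict(series) for day, series in totals.items()}


def daily_total_gb(totals):
    """Collapse per-index figures into one total GB per day (the addtotals step)."""
    return {day: sum(kb.values()) / KB_PER_GB for day, kb in totals.items()}


def storage_gb(daily_gb, retention_days, rf, sf):
    """Cluster-wide disk for one index at steady state.

    Every one of the RF copies carries rawdata; SF of them also carry index
    files. So per day of retention the cluster stores
        daily_gb * (RAW_FRACTION * rf + INDEX_FRACTION * sf)
    """
    per_day = daily_gb * (RAW_FRACTION * rf + INDEX_FRACTION * sf)
    return per_day * retention_days


if __name__ == "__main__":
    totals = daily_kb_by_index(SAMPLE_METRICS.splitlines())
    for day, per_index in sorted(totals.items()):
        print(day, {k: round(v, 1) for k, v in per_index.items()})
    print("100 GB/day, 90 days, RF=2, SF=1 ->", storage_gb(100, 90, 2, 1), "GB")
```

Feed it the real daily figure from license_usage.log rather than from metrics.log when the two disagree; the thruput metric is a sampled view of the indexing pipeline, not the licensing meter.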

How to use SPL to count the number of clients of a deployment server?

We know we can see the number of clients on the Forwarder Management page of the deployment server, but I want to show it on a dashboard. Can I use SPL to count the number of clients on the deployment server? By the way, my Splunk architecture is search head cluster + indexer cluster.

make dashboard more enhanced/beautiful

Is there a way I can use Bootstrap or anything else to make my boring dashboard view more beautiful and catchy?

Batch file doesn't work

Hello, I have faced this when Splunk launches a bat file:

    ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\SQLFailed_logon\bin\script\LogCheck.bat"" set was unexpected at this time.

When I run this file myself it works great. But when the batch is started by the Splunk UF it gives the error "set was unexpected at this time", and strangely this script works on similar servers with no errors, but on some servers it errors.

Running mulitple reports with a certain time gap

Hi everyone, I have 3 reports dependent on the outcome of each other.
The 1st report generates a FirstReportOutputcsv, which is the input for the second report.
The 2nd report generates a SecondReportOutputcsv, which is the input for the third report.
The 3rd report generates a ThirdReportOutputcsv, which is the final output.
As of now, I have scheduled these reports at a certain time every day. Is it possible to run all 3 reports from the search head with a time gap of 5 minutes? Thanks a lot in advance.

how to find the request per sec by organization ?

Hi, I have an event which is comprised of OrgName, RequestName and others. How do I find the average & max requests per second by OrgName using the per_second() function? I tried doing a timechart of per_second() by OrgName, but that gives me, for every second, the per_second() value with OrgName as the column names. I want to calculate the average & max requests per second by OrgName. Could you please let me know how to achieve this?

Any handy way to know what cipher Splunk server support?

I want to tighten security by only allowing certain ciphers to be configured. Is there any handy tool to check which ciphers Splunk currently supports?
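The handy check is an empirical one: offer the listener one cipher suite at a time and record which handshakes succeed. The block below is an added example, not code from the post or from Splunk, using only the Python standard library and the local OpenSSL build (so it can only test suites that build can offer, and TLS 1.3 suites are excluded because they are negotiated separately). The host and port are assumptions: Splunk Web is 8000 by default, the splunkd management port 8089, and a receiving port such as 9997 only speaks TLS when SSL forwarding is configured. The list of "weak" markers is an opinionated default.

```python
#!/usr/bin/env python3
"""Enumerate the TLS 1.2-and-below cipher suites a listener accepts.

Added example, not from the original post or from Splunk. One handshake per
suite; a suite counts as supported only if the server negotiated exactly it.
"""
import socket
import ssl

# Suites a practitioner normally wants gone; substring match on the OpenSSL
# name. "DES" also catches DES-CBC3 (3DES), which is the intent.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def candidate_ciphers():
    """All pre-TLS-1.3 suite names the local OpenSSL can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    return [c["name"] for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def probe(host, port, cipher, timeout=3.0):
    """Suite the server picked when offered only `cipher`, or None on failure.

    Certificate verification is off on purpose: this measures suite
    acceptance, not server identity. Lower ctx.minimum_version if you also
    need to test TLS 1.0/1.1-only suites on an old server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # keep TLS 1.3 from masking the result
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return None  # local OpenSSL cannot offer this suite at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None  # refused, timed out, or handshake rejected the suite


def supported_ciphers(host, port, ciphers=None, timeout=3.0):
    """Suites the server actually selected when each was offered alone."""
    if ciphers is None:
        ciphers = candidate_ciphers()
    return [name for name in ciphers if probe(host, port, name, timeout) == name]


def weak_ciphers(names):
    """Subset of `names` matching WEAK_MARKERS, to drive the tightening."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. splunk.example.net 8000 (assumed)
    accepted = supported_ciphers(host, port)
    flagged = set(weak_ciphers(accepted))
    for name in accepted:
        print(("WEAK " if name in flagged else "ok   ") + name)
```

Once you have the list, restrict it in Splunk's own configuration (the cipherSuite setting under [sslConfig] in server.conf for splunkd, and under [settings] in web.conf for Splunk Web), restart, and run the probe again to confirm the weak suites are gone.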

Leave out timestamp from exported CSV filename (Scheduled)

Hi all, Splunk newbie here; I've searched the answers but can't find an answer... I have saved a series of searches as reports and scheduled them to run periodically and to e-mail me the output. The reports, schedule and e-mail all work perfectly - EXCEPT that the CSV filenames have been suffixed with a timestamp, which I do not want (it has also truncated some of the filenames, which need to be picked up by a VBA script for another process). Is there any way to stop the timestamp being added? Thanks.

Restarting Splunk messes up dashboards

I have added libraries to my search app, like jQuery UI and Font Awesome icons, that I use in my dashboards, but for some reason every time I restart Splunk or the search head, the dashboards say they can't find these libraries, even though when I check the server they are still there. Then, if I restart it again, the dashboards work. Does anyone know why this might be happening or what I can do to avoid having to remember to restart twice every time? Thanks

Control-M (bmc software) integration in Splunk for job scheduling monitoring

Hi all, We would like to know if there is a way to integrate the alerts generated by Control-M (the BMC software tool for managing job execution) into Splunk. We know that Splunk should be able to monitor the log table of the Control-M database and/or the SYSLOG folders on the Control-M application server, but we would like to know if there is an add-on or app capable of integrating Control-M with Splunk. Kind regards, Alberto

Accessing whole row / other fields in table format colorPalette expression in Simple XML - 'value' only?

Hello Splunkers, I am developing dashboards in a Splunk instance which I don't manage, so I have little room for adding custom JS, and frankly I don't want to work with CSS and JS either, to keep things easily movable. I have a table where the value of one field/column determines the overall status of the row, and I have a colour palette doing what I need it to do. This works fine; high values are red, low are green. However, I would ideally like to be able to change the colouring of other columns based on the same field. I could not find any documentation stating that "value" is the only variable available to the expression in ``. My question then is: **can I refer to the whole row or other fields in the colorPalette expression for a given column?** I tried the usual suspects like `row.` or simply ``, but to no avail. So, can this be done? Or is the colouring evaluated purely in the context of a single cell? Does anybody know if Splunk is going to introduce explicit row colouring at some point? Actually, another use case for what I'm asking is when one wants to colour a column or columns based on another field that is not even displayed - for example when you have a calculation that determines some internal "score" value which in itself is of no interest to the user. Many thanks, Wojciech

how to add dynamic conditions?

I want to add dynamic conditions. In June 2018, the query condition was "| search searchDate = 201806 createDate != "2018/07"", returning n rows. In July 2018, the query condition was "| search createDate = "2018/07"", returning 2n rows. It is important to complete this in one query. For example:

    If now()==201806: | search searchDate = 201806 createDate != "2018/07"
    If now()==201807: | search createDate = "2018/07"

Thanks very much

Changing Display columns depending on sourcetype

In a dashboard, depending on the sourcetype selected in the dropdown list, we want to display different fields. Since the fields can change in the future we have created a lookup for them, so depending on the source type the lookup should be queried to get the display columns. I am trying something like the below, but it doesn't seem to work:

    index=nirds sourcetype="XXX" | table [| inputlookup SourceType-Attributes sourcetype="XXX" | fields Attribute]

How do I write a cron schedule to execute every 5 minutes between 7 am and midnight?

How do I write a cron schedule to execute every 5 minutes between 7 am and midnight?
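The schedule that matches the question is `*/5 7-23 * * *` (minute 0,5,...,55 of every hour from 07 through 23, so 07:00 to 23:55). Splunk's saved-search cron field uses the standard five-field syntax, and a schedule is cheap to verify before it is pasted in. The block below is an added example, not from the post: a small cron-expression expander that lists every minute in a day at which an expression fires. It models the standard minute/hour/day-of-month/month/day-of-week fields with Sunday as 0 or 7; it does not model Vixie cron's OR rule for when both day-of-month and day-of-week are restricted, and the date used in the test is an assumption.

```python
#!/usr/bin/env python3
"""Expand a five-field cron expression and list when it fires within a window.

Added example, not from the original post. Fields are
minute hour day-of-month month day-of-week; each accepts *, a, a-b, lists
and /step. Day-of-week 0 and 7 both mean Sunday.
"""
from datetime import datetime, timedelta


def expand_field(spec, lo, hi):
    """Set of integers one cron field covers within [lo, hi]."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start  # "7/5" means 7,12,17,... up to hi
        if not (lo <= start <= end <= hi):
            raise ValueError("field %r outside %d-%d" % (spec, lo, hi))
        values.update(range(start, end + 1, step))
    return values


def matches(expr, when):
    """True if the expression would fire at the minute given by `when`."""
    minute, hour, dom, month, dow = expr.split()
    dows = expand_field(dow, 0, 7)
    weekday = when.isoweekday() % 7        # Monday=1 .. Saturday=6, Sunday=0
    dow_ok = weekday in dows or (weekday == 0 and 7 in dows)
    return (when.minute in expand_field(minute, 0, 59)
            and when.hour in expand_field(hour, 0, 23)
            and when.day in expand_field(dom, 1, 31)
            and when.month in expand_field(month, 1, 12)
            and dow_ok)


def fires_at(expr, iso_minute):
    """Convenience wrapper: iso_minute like '2018-08-20T06:55'."""
    return matches(expr, datetime.strptime(iso_minute, "%Y-%m-%dT%H:%M"))


def fire_times(expr, start, end):
    """Every minute in [start, end) at which `expr` fires."""
    hits = []
    t = start.replace(second=0, microsecond=0)
    while t < end:
        if matches(expr, t):
            hits.append(t)
        t += timedelta(minutes=1)
    return hits


def runs_on_day(expr, year, month, day):
    """'HH:MM' strings for every run on one calendar day."""
    start = datetime(year, month, day)
    return [t.strftime("%H:%M") for t in fire_times(expr, start, start + timedelta(days=1))]


if __name__ == "__main__":
    runs = runs_on_day("*/5 7-23 * * *", 2018, 8, 20)
    print(len(runs), "runs, first", runs[0], "last", runs[-1])
```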

Seeing all the forwarded data on indexer but UF is inactive

Hi Splunkers, I have forwarded data using a universal forwarder to a heavy forwarder and then to an indexer, where I am seeing all the data from my agent server, but the problem is I don't know why the UF is still saying "configured but inactive".

At the universal forwarder end I am seeing this in splunkd.log:

    08-14-2018 07:03:34.401 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
    08-14-2018 07:03:34.538 -0400 INFO TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
    08-14-2018 07:14:15.696 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
    08-14-2018 07:14:15.814 -0400 INFO TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
    08-20-2018 06:12:36.906 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
    08-20-2018 06:12:37.038 -0400 INFO TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.

and also this, which I don't understand:

    [root@abc.com bin]# ./splunk list forward-server
    Active forwards:
        None
    Configured but inactive forwards:
        165.113.21.66:9997

And at the heavy forwarder end:

    [root@def.com bin]# ./splunk display listen
    Your session is invalid. Please login.
    Splunk username: admin
    Password:
    Receiving is enabled on port 9997

In splunkd.log at the heavy forwarder end:

    08-14-2018 07:04:26.163 -0400 INFO TcpInputProc - clustering is enabled but ACK not enabled on forwarder=165.113.20.239

Everything is connected, but still, why am I seeing "Configured but inactive forwards:"? I don't know why. I have also tried telnet from the universal forwarder to the heavy forwarder server:

    [root@abc.com bin]# telnet def.com 9997
    Trying def.com...
    Connected to def.com.
    Escape character is '^]'.

Guys, please help. Although I am receiving all my data at the indexer, I still want to know why I am seeing the "configured but not active" entry on the universal forwarder.